Hello - I am currently in the process of evaluating PacketFence as a NAC solution and am following the installation guide at https://www.packetfence.org/doc/PacketFence_Installation_Guide.html to get started.

After completing the steps in "Section 5: Getting Started", I connected a laptop to the configured switchport and the network adapter in Windows states "Authentication Failed." I have confirmed that PacketFence successfully joined the domain and that the Authentication Source tests successfully. The sAMAccountName in AD matches DOMAIN\UserName listed below.

When I check auditing I get the following information:

04/17/2023 03:35 PM Accept 10.7.14.16 Unregistered b445065c08d7 10.248.0.5
04/17/2023 03:35 PM Reject 10.7.14.16 Unregistered DOMAIN\UserName 10.248.0.5
04/17/2023 03:35 PM Reject 10.7.14.16 Unregistered DOMAIN\UserName 10.248.0.5

Here is the output from packetfence.log:

Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip => (10.248.0.5), connection_type => Ethernet-EAP,switch_mac => (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username => "DOMAIN\UserName" (pf::radius::authorize)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] Found authentication source(s) : 'DC01' for realm 'default' (pf::config::util::filter_authentication_sources)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] Using sources DC01 for matching (pf::authentication::match2)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] [DC01 catchall] Searching for (sAMAccountName= DOMAIN\UserName ), from DC=domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] No role specified or found for pid DOMAIN\UserName (MAC b4:45:06:5c:08:d7); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) ERROR: [mac:b4:45:06:5c:08:d7] no role computed by any sources - registration of b4:45:06:5c:08:d7 to DOMAIN\UserName failed (pf::registration::setup_node_for_registration)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) ERROR: [mac:b4:45:06:5c:08:d7] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) ERROR: [mac:b4:45:06:5c:08:d7] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`pid`) REFERENCES `person` (`pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_acls`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = ?, `pid` = ?]{yes, NULL, NULL, NULL, NULL, NULL, NULL, 2023-04-17 14:46:50, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 2023-04-17 15:35:12, 0000-00-00 00:00:00, b4:45:06:5c:08:d7, NULL, NULL, DOMAIN\UserName , 0000-00-00 00:00:00, NULL, unreg, NULL, 0000-00-00 00:00:00, NULL, no, yes, 2023-04-17 15:35:12, DOMAIN\UserName } (pf::dal::db_execute)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) ERROR: [mac:b4:45:06:5c:08:d7] Cannot save b4:45:06:5c:08:d7 error (500) (pf::radius::authorize)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip => (10.248.0.5), connection_type => Ethernet-NoEAP,switch_mac => (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username => "b445065c08d7" (pf::radius::authorize)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] (10.248.0.5) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] No parameter registrationRole found in conf/switches.conf for the switch 10.248.0.5 (pf::Switch::getRoleByName)

Any guidance would be appreciated.

Thanks,
- Dan
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
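
Added example, not part of the original post and not PacketFence code: a Python script that groups packetfence.log lines by RADIUS authorize request and lists the WARN/ERROR lines under each, so the Ethernet-EAP attempt and the later Ethernet-NoEAP attempt can be read separately. The regular expression is inferred only from the line layout in the log above, and the sample lines are abridged from that log.

```python
import re

# Line layout inferred from the packetfence.log excerpt in the post (an assumption).
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: \S+ '
    r'(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] '
    r'(?P<msg>.*?)(?: \((?P<sub>pf::[\w:]+)\))?$')
START = 'handling radius autz request'

# Sample input: five lines abridged from the log in the post.
SAMPLE = r'''
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip => (10.248.0.5), connection_type => Ethernet-EAP,switch_mac => (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username => "DOMAIN\UserName" (pf::radius::authorize)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) ERROR: [mac:b4:45:06:5c:08:d7] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip => (10.248.0.5), connection_type => Ethernet-NoEAP,switch_mac => (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username => "b445065c08d7" (pf::radius::authorize)
Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] No parameter registrationRole found in conf/switches.conf for the switch 10.248.0.5 (pf::Switch::getRoleByName)
'''.strip().splitlines()

def group_requests(lines):
    """Return one record per authorize request, with its WARN/ERROR lines."""
    requests, open_by_mac = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # line is not in the layout above; skip it
        msg, mac = m['msg'], m['mac']
        if msg.startswith(START):
            ctype = re.search(r'connection_type => ([\w-]+)', msg)
            user = re.search(r'username => "([^"]*)"', msg)
            rec = {'ts': m['ts'], 'mac': mac,
                   'connection_type': ctype.group(1) if ctype else None,
                   'username': user.group(1) if user else None,
                   'problems': []}
            requests.append(rec)
            open_by_mac[mac] = rec  # later lines for this MAC belong here
        elif mac in open_by_mac and m['level'] in ('WARN', 'ERROR'):
            open_by_mac[mac]['problems'].append((m['level'], m['sub'], msg))
    return requests

if __name__ == '__main__':
    for r in group_requests(SAMPLE):
        print(r['ts'], r['mac'], r['connection_type'], r['username'])
        for level, sub, msg in r['problems']:
            print(f'  {level:5} {sub}: {msg}')
```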